ISO/IEC 27001:2013 – Information Security Management Systems was released in September and slipped into use relatively quietly. It replaces ISO/IEC 27001:2005. The overall intent of the standard is unchanged, and when you peel back the changes most of the old standard is still there. There are, however, enough changes that addressing them will take some effort.
One of the main changes is the format. Instead of the 8 sections of the previous standard plus the annex, there are now 10 sections and the Annex. This is the Annex SL structure, which all ISO management system standards will follow going forward; yes, the standards have been standardised. One of the cheeky changes is that the Normative references and Terms and definitions clauses are now little more than pointers to ISO/IEC 27000, so you need a copy of that document as well to read the definitions. The new sections are:
- 0 Introduction – exactly what it says
- 1 Scope – states what the standard is about
- 2 Normative references – now just a reference to ISO/IEC 27000, where the definitions actually live 🙁
- 3 Terms and definitions – ditto
- 4 Context of the organisation – understanding the organisation, its interested parties and the scope of the ISMS; this takes over the "establish the ISMS" part of the old section 4, while the risk assessment itself moves to section 6 and is now more closely aligned with ISO 31000
- 5 Leadership – the old standard's management responsibility requirements
- 6 Planning – risk assessment, risk treatment (including the Statement of Applicability) and information security objectives; the old "preventive action" is folded into this risk-based approach
- 7 Support – resources, competence, awareness, communication and documented information
- 8 Operation – the implement and operate section of the old standard, including actually performing the risk assessment and treatment
- 9 Performance evaluation – monitoring and measurement, internal audit and management review
- 10 Improvement – nonconformity, corrective action and continual improvement
So the elements are still the same, just moved about a bit, which means you will end up having to make changes to your documentation. The most visible thing that has gone from the standard is the explicit plan-do-check-act cycle, but when you read between the lines it is still there: you are still expected to plan the controls to be implemented, implement them, measure them and update as needed, just as before.
Annex A still links through to ISO/IEC 27002 and reduces the number of controls from 133 to 114. A few have been removed and some have been combined. The number of domains has increased from 11 to 14:
- 5 Information security policies
- 6 Organisation of information security
- 7 Human resource security
- 8 Asset management
- 9 Access control
- 10 Cryptography
- 11 Physical and environmental security
- 12 Operations security
- 13 Communications security
- 14 System acquisition, development and maintenance
- 15 Supplier relationships
- 16 Information security incident management
- 17 Information security aspects of business continuity management
- 18 Compliance
These are all pretty self-explanatory.
With regard to the documentation and evidence you need to keep in order to be compliant, there are no significant changes. The main addition for most organisations will be the documentation requirements for Performance evaluation: the organisation must determine what needs to be monitored and measured, how and when it is measured, who does it, and what evidence of the results is kept. As many organisations are weak in this area, it will be the biggest change for many.
You will have to check with your certifying body, but most of you will have between 12 and 24 months to implement the changes and certify to the new standard.
Mark H – Shearwater
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.